Skill v1.0.1
ClawScan security
Realtime Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 8:17 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with managing SenseAudio realtime agent sessions and only ask for the single, expected API key.
- Guidance: This skill appears coherent: it only needs your SenseAudio API key and describes the expected REST endpoints and lifecycle. Before installing, verify you trust the publisher and that the API key is from https://senseaudio.cn. Use least-privilege keys if the platform supports them, store conv_id/room_id and any session state in a server-side store (not client-side or logs), and treat returned tokens as short-lived secrets (do not log or embed them in URLs). Monitor API usage and quotas for unexpected activity and rotate/revoke the key if anything looks suspicious. Note that this is an instruction-only skill that will cause the agent to make network calls to api.senseaudio.cn; if you do not want autonomous network access, restrict or review model-invocation settings in your agent/config before enabling the skill.
Review Dimensions
- Purpose & Capability (ok): The name/description match the declared requirement (SENSEAUDIO_API_KEY) and the referenced endpoints (api.senseaudio.cn); there are no unrelated env vars, binaries, or config paths requested. The skill's stated purpose (list/invoke/status/leave) aligns with the documented endpoints.
- Instruction Scope (ok): SKILL.md and references/agent.md confine instructions to agent lifecycle operations (list, invoke, status, leave), error handling, and guidance on storing conv_id/room_id and short-lived tokens. The instructions do not ask the agent to read unrelated files, other environment variables, or to exfiltrate data to third-party endpoints.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files; nothing will be written to disk by an installer. That represents the lowest install risk.
- Credentials (ok): Only a single credential (SENSEAUDIO_API_KEY) is required and documented. That is proportionate to the documented HTTP bearer-auth API usage. No additional secrets or unrelated credentials are requested.
- Persistence & Privilege (ok): The skill does not request always:true or other elevated platform privileges and does not modify other skills' configurations. Model invocation is enabled (platform default), which is normal and expected for skills that perform API calls.
